DORA: What the Digital Operational Resilience Act means for your organization
Cybersecurity is full of incredible people doing very clever things and putting the work in. Unfortunately, cybercriminals have been working hard too, and cyberattacks are on the rise.
It’s why organizations need to up their resilience in the face of cyber threats.
And, in January 2023, a significant piece of legislation arrived that makes looking ahead and preparing for the future even more vital.
Just as well then that we’ve been hard at work on our 2023 security awareness predictions report, a round-up of expert insights for the year and beyond. It’s what you need to know, delivered by your favorite human risk management startup (waggles eyebrows at you).
What is DORA?
In a nutshell:
The Digital Operational Resilience Act (DORA) is a regulation designed to help prevent and mitigate cyber threats.
It applies to the European Union’s financial services sector—and certain friends of the sector. More on the friends later.
Why was DORA created?
DORA’s mission is to ensure that the financial sector has the necessary safeguards in place to protect against cyber attacks—or at least limit the damage.
Which is just as well, because:
1. More interconnectivity in the sector means more vulnerability
Ever-increasing digital pathways between financial entities, services, and repositories mean more opportunities for cybercriminals to intercept data and throw a spanner in the works.
2. The risk profile of the sector is changing because of the adoption of digital finance solutions
More organizations in the sector are going digital. So regulations need to keep up to be useful.
3. The financial sector relies heavily on third-party service providers
That means the resilience of these third-party services affects the stability of the financial sector. Hence DORA’s wide reach.
4. Sectors are stronger when entities act in unison, with a single, consistent approach
By ensuring financial entities move together, DORA aims to boost operational resilience across the EU financial market. DORA’s capacity for reinforcing ICT controls means a financial entity stands a better chance of withstanding, responding to, and recovering from all types of cyber disruptions and threats.
Who is affected by DORA?
While only EU member states are bound by the Digital Operational Resilience Act, the UK and other neighboring countries would do well to read up on the details.
Why? DORA likely indicates a direction of travel for nations with mature financial services sectors.
And, of course, if you do business with organizations complying with DORA, then you’ll need to know what it’s all about. Those organizations include:
- Fund management companies
- Electronic money institutions
- Crypto-asset service providers
- Crowdfunding service providers
- Third-party ICT service providers. DORA classifies ICT providers as entities that offer consistent digital and data-related services. So, cloud platforms and data analytics providers, to name a few.
When is DORA coming into force?
So, what’s the Digital Operational Resilience Act timeline?
The European Council adopted DORA as early as 28 November 2022. On 16 January 2023, however, the final version was agreed upon and approved by the European Commission. It will apply from 17 January 2025.
Meanwhile, the European Supervisory Authorities (ESAs), which include the European Banking Authority (EBA), will establish technical standards that all financial services institutions of member states must adhere to, spanning from banking to insurance to asset management.
So, that’s long enough to make significant improvements to your security situation, but not long enough to procrastinate in getting started!
We’d say it’s time to get your ducks in a row.
What does DORA cover?
The legislation is built on five pillars, each of which challenges organizations in various ways.
- ICT risk management. How mature is your risk management setup? Are you applying proper processes?
- ICT incident reporting. How does your organization identify and communicate cyber incidents? Have people been given the tools they need to respond correctly?
- DOR testing. How mature is your penetration testing program?
- ICT third-party risk management. Does your third-party risk management program offer robust protection from hits to your organization’s stability?
- Information and intelligence sharing. How does your organization communicate about cybersecurity?
Let’s zero in on the fourth pillar for a second. Third-party risk management isn’t a new addition to the risk radar. With DORA, EU organizations must consider specific measures as outlined. These include requirements in relation to contractual arrangements. So legal teams and business leaders will have to work closely together.
As with any new regulation, there is a lot more to it than we’ve mentioned, so consider your bedtime reading covered for the next month or so.
What does this all mean for you?
DORA introduces requirements relating to incident management and testing operational resilience. Financial services and third-party services must meet these requirements.
The regulation requires organizations to train their employees on cyber resilience. But it also requires their suppliers to have the same level of understanding (so the training requirement is pushed out to suppliers, too). Crucially, boards and senior management should specifically be trained on incident response.
Simplification and streamlining will be key to achieving DORA cybersecurity compliance. An organization that’s aware of its security risks and its people’s security behaviors is an organization that will be in a stronger position to respond to these new legislative requirements.
Are you ready?
Remember, DORA’s five pillars have one aim: to enhance operational resilience. So, it’s time to take stock. Below are a few pointers to get you started. And don’t put it off—there will be penalties down the road for non-compliance, so this is one project you can’t afford to snooze.
1. Say what? A culture of openness will be essential to encourage identification and reporting. Does this describe your organization’s culture?
2. Nice to nudge you. Does your organization help people make better choices? Take a look at this (free) database that uses science-based mechanisms to help you get people to make better security decisions.
3. Just help yourself. To smash DORA compliance and boost operational resilience, people need to know what to do, and how to do it, in the face of a security incident. Increasing security awareness is one thing, but offering on-demand help takes some of the mental load off your people.